Mar 19 2021

Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs

Category: App Security, Backdoor, Information Security | DISC @ 10:11 am

Remember XcodeGhost?

It was a pirated and malware-tainted version of Apple’s Xcode development app that worked in a devious way.

You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway.

Nevertheless, this redistributed version of Xcode seems to have been popular in China at the time – perhaps simply because it was easier to acquire the “product”, which is a multi-gigabyte download, directly from fast servers inside China.

The hacked version of Xcode would add malware into iOS apps when they were compiled on an infected system, without infecting the source code of the app itself.

The implanted malware was buried in places that looked like Apple-supplied library code, with the result that Apple let many of these booby-trapped apps into the App Store, presumably because the components compiled from the vendor’s own source code were fine.

As we said at the time, “developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost.”

As you probably know, this sort of security problem is now commonly known as a supply chain attack, in which a product or service that you assumed you could trust turned out to have had malware inserted along the way.

Meet “XcodeSpy”

Tags: Xcode devs, XcodeSpy


Mar 16 2021

Using IAM Solutions to Beat Deepfakes and Fraud

Category: 2FA, Access Control, App Security, Identity Theft | DISC @ 8:18 am

AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service.

Cybercriminals have also made great strides in using AI and ML for fraud.

“Today, fraud can happen without stealing someone else’s identity because fraudsters can create ‘synthetic identities’ with fake, personally identifiable information (PII),” explained Rick Song, co-founder and CEO of Persona, in an email interview. And fraudsters are leveraging new tricks, using the latest technologies, that allow them to slip past security systems and do things like open accounts where they rack up untraceable debt, steal Bitcoin holdings without detection, or simply redirect authentic purchases to a new address.

Some increasingly popular fraud tricks using AI and ML include:

  • Deepfakes that mimic live selfies in an attempt to circumvent security systems
  • Replicating a template across a dozen or more accounts to create fake IDs (these often use celebrity photos and their public data)
  • Mimicking the voice of high-level officials and corporate executives to extort personal information and money
  • Chatbots as phishing tools to gather personal information

“With this pace of evolution, companies are left at risk of holding the bag — they are not only losing money directly through things like loans and fees they can’t recoup and any restitution to impacted customers, but they’re also losing trust and credibility. Fraud costs the global economy over $5 trillion every year, but the reputational costs are hard to quantify,” said Song.

How IAM Tools Can Spot and Prevent High Tech Fraud

Tags: Deepfakes and Fraud, IAM Solutions


Mar 11 2021

Getting your application security program off the ground

Category: App Security, Information Security | DISC @ 1:01 pm

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security.

“The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.”

In addition to that, modern applications and tech stacks are evolving and becoming increasingly complex – applications are integrating more external dependencies and are becoming very interconnected through API calls. The increased complexity significantly increases the chance of security issues.

“SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications,” he explained.

“This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks.”

Getting your application security program off the ground

Tags: application security program


Mar 07 2021

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

Category: App Security, Trojan | DISC @ 6:44 pm

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realize it at the time.

PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

more on: Poison packages

Tags: Poison packages, Python


Jan 31 2021

Byron Roosa’s ‘A Look At Jython-Enhanced Reverse Engineering’

Category: App Security, Information Security | DISC @ 1:23 pm

Tags: Jython, Reverse Engineering


Jan 30 2021

Penetration Testing

Category: App Security, Web Security | DISC @ 5:29 pm

Penetration testing is a method many companies use to reduce the risk of security breaches: a controlled engagement in which you hire a professional to try to break into your system and show you the weaknesses you should fix.

Before doing a penetration test, it is mandatory to have an agreement that explicitly specifies the following parameters:

  • the time window in which the test will take place,
  • the source IP addresses the attack traffic will come from, and
  • the scope: which systems and functions of the environment may be tested.

Penetration testing is conducted by professional ethical hackers who combine commercial and open-source tools, automated scanners and manual checks. Within the agreed scope there are no restrictions on technique; the most important objective is to uncover as many security flaws as possible.

Source: download a PDF copy of Burp Suite Cookbook


Jan 28 2021

Making a Success of Managing and Working Remotely

Category: App Security, cyber security, data security | DISC @ 12:07 am

Tags: remote security, working remotely


Dec 10 2020

Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

Category: App Security | DISC @ 12:47 am

As just one symptom, 83 percent of the Top 30 U.S. retailers have vulnerabilities which pose an “imminent” cyber-threat, including Amazon, Costco, Kroger and Walmart.

2020 is shaping up to be a banner year for software vulnerabilities, leaving security professionals drowning in a veritable sea of patching, reporting and looming attacks, many of which they can’t even see.

A trio of recent reports tracking software vulnerabilities over the past year underscore the challenges of patch management and keeping attacks at bay.

“Based on vulnerability data, the state of software security remains pretty dismal,” Brian Martin, vice president of vulnerability intelligence with Risk Based Security (RBS), told Threatpost.

Security researchers looked at CVE details across the Top 50 software vendors and found that since 1999, Microsoft is the hands-down leader with 6,700 reported, followed by Oracle with 5,500 and IBM with 4,600.

“New software is being released at a faster rate than old software is being deprecated or discontinued,” Comparitech’s Paul Bischoff told Threatpost. “Given that, I think more software vulnerabilities are inevitable. Most of those vulnerabilities are identified and patched before they’re ever exploited in the wild, but more zero days are inevitable as well. Zero days are a much bigger concern than vulnerabilities in general.”

Source: Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020




Tags: Software Bugs


Sep 29 2020

12 Bare-Minimum Benchmarks for AppSec Initiatives

Category: App Security | DISC @ 1:40 pm

The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers.

As application security methodology and best practices have evolved over more than a decade, the Building Security in Maturity Model (BSIMM) has been there each year to track how organizations are making progress. BSIMM11, released last week by Synopsys, is based on the software security practices in place at 130 different firms across numerous industries, including financial services, software, cloud, and healthcare.

The practices were measured by the model’s proprietary yardstick, which lumps 121 different software security metrics into four major domains: governance, intelligence, secure software development lifecycle (SSDL) touchpoints, and deployment. Each of these domains is further broken down into three practice categories containing numerous activities that range from simple to very mature.

Similar to previous reports, BSIMM11 shows that most organizations are at the very least hitting the basics — including activities like performing external penetration testing and instituting basic software security training across development organizations. The following are the most common activities cited for each practice category, providing an excellent yardstick for the bare minimum that organizations should be doing to keep up with their peers.

Source: 12 Bare-Minimum Benchmarks for AppSec Initiatives

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles

Subscribe to DISC InfoSec blog by Email

👉 Download a Virtual CISO (#vCISO) and Security Advisory Fact Sheet & Cybersecurity Cheat Sheet

Download a Security Risk Assessment Steps paper!

Jul 01 2020

40% of security pros say half of cyberattacks bypass their WAF – Help Net Security

Category: App Security, Web Security | DISC @ 10:59 pm

There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their WAF.

Source: 40% of security pros say half of cyberattacks bypass their WAF – Help Net Security



Sorry About your WAF – Modern WAF Bypass Techniques
https://www.youtube.com/watch?v=nKJmgE-dYds

Tags: WAF, web app security


May 30 2020

API Security and Hackers: What’s the Need?

Category: App Security | DISC @ 11:05 am

There is considerable demand for data-centric projects, which is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs.

Source: API Security and Hackers: What’s the Need? …


Sep 23 2019

10 Most Critical API Security Risks

Category: App Security, Web Security | DISC @ 2:23 pm

10 Most Critical API Security Risks [2019] – OWASP Foundation

Advanced Web Application Scanning with OWASP Zed Attack Proxy (ZAP)
https://www.youtube.com/watch?v=CbMKX8on9bA&list=PLqpLl_iGMLnCR5x6Smky2E2RdqCdqbYZ1

Web Application Security and OWASP – Top 10 Security Flaws
https://www.youtube.com/watch?v=j5PuYFCS0Iw

Ethical Hacking 101: Web App Penetration Testing
https://www.youtube.com/watch?v=2_lswM1S264

Tags: API security risks


May 13 2019

Most popular programming languages on stack overflow

Category: App Security, Python | DISC @ 4:26 pm

Most popular programming languages


Apr 05 2019

How to completely and securely delete files in Windows

Category: App Security, File Security, Windows Security | DISC @ 3:36 pm

To make sure a deleted file can’t be recovered, you’ll need to use a third-party shredding tool. Here’s a look at three such free programs: Eraser, File Shredder, and Freeraser.
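What shredding tools do under the hood is overwrite the file’s blocks before unlinking it, because an ordinary delete only removes the directory entry and leaves the data on disk. The added example below was written for this page and is not code from the article or from Eraser, File Shredder or Freeraser: it performs several overwrite passes with an fsync after each, renames the file to a random name so the original filename is not left behind in the directory entry, then deletes it. The sample file content is constructed. The docstring carries the caveat the article omits: on SSDs the controller’s wear levelling means a logical overwrite may never reach the physical cells that held the data.

```python
"""Overwrite-then-unlink file shredding. Added example for this page, not code
from the article or from Eraser, File Shredder or Freeraser."""
import os
import secrets
import tempfile
from typing import Tuple

CHUNK = 64 * 1024
# Constructed sample content standing in for a sensitive document.
SAMPLE_CONTENT = b"Quarterly payroll export - constructed sample data\n" * 2000


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times (random bytes, zeros on the final
    pass), fsync after each pass so the data reaches the device, rename the file
    to a random name so the original filename no longer sits in the directory
    entry, then unlink it. Returns the total number of bytes overwritten.

    Caveat: this only defeats recovery on media where a logical overwrite hits
    the same physical location, i.e. spinning disks. SSDs remap blocks through
    wear levelling and keep over-provisioned spare cells, so the old data may
    survive; there, rely on full-disk encryption plus key destruction or the
    drive's own secure-erase command instead of overwriting individual files.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for current in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = b"\x00" * n if current == passes - 1 else secrets.token_bytes(n)
                fh.write(block)
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())           # force this pass to the device before the next one
    directory = os.path.dirname(path) or "."
    scrambled = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, scrambled)              # hide the original name before releasing the inode
    os.remove(scrambled)
    return written


def demo(passes: int = 3) -> Tuple[int, bool]:
    """Write the constructed sample to a temp file, shred it, and report
    (bytes_overwritten, file_still_exists)."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    written = shred_file(path, passes=passes)
    return written, os.path.exists(path)


if __name__ == "__main__":
    total, still_there = demo()
    print(f"overwrote {total} bytes; file still present: {still_there}")
```

The rename step matters: unlinking alone can leave the filename, size and timestamps readable in directory slack space. Shredding a single file also does nothing about copies in backups, volume snapshots, the page file or an editor’s temporary files, which is why whole-disk encryption is the stronger default.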

Source: How to completely and securely delete files in Windows

Tags: Microsoft Windows, Windows, windows security


Mar 29 2019

Google’s most secure logon system now works on Firefox and Edge, not just Chrome

Category: 2FA, App Security | DISC @ 3:26 pm

Better hardware security key support means our post-password future is one step closer to reality.

Source: Google’s most secure logon system now works on Firefox and Edge, not just Chrome


Mar 28 2019

How to set up two-factor authentication on all your online accounts

Category: 2FA, App Security | DISC @ 1:47 pm

2FA is an important step in preventing your account from being accessed by unauthorized users — here’s how to enable 2FA on your accounts across the web.

Source: How to set up two-factor authentication on all your online accounts


Mar 09 2019

How to Print Comments Only in Word

Category: App Security | DISC @ 1:35 pm

When collaborating on a document with several people, leaving comments is an essential part of the process. You can print the document along with its comments, but what if you want to print just the comments? You can do that.

Source: How to Print Comments Only in Word

Feb 28 2019

Cisco WebEx Meetings affected by a new elevation of privilege flaw

Category: App Security | DISC @ 2:10 pm

A vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows could allow elevation of privilege

Source: Cisco WebEx Meetings affected by a new elevation of privilege flaw

Jan 23 2019

Center for Internet Security releases Microsoft 365 benchmarks

Category: App Security, Information Security | DISC @ 11:01 am

Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

Source: Center for Internet Security releases Microsoft 365 benchmarks

Aug 23 2018

Secure File Sharing from any device

Category: Access Control, App Security, data security | DISC @ 4:36 pm

Easy Desktop Access to Cloud Files

Ditch Email Attachments. With your files in the cloud, you can easily share them with anyone — even if they’re outside your company firewall — with a simple link via email or straight from Box.

Keep Everybody on the Same Page. Easily share files and folders, and add, move or edit files while always having the latest file version on hand.

Preview Files Without Download. With Box, you can view 120+ types of files, including Word, Excel, PDF, AI, EPS, PSD, photos and more—without downloading a single file.

Easily Share Your Workspace. Right click any folder to share instantly or open on box.com and invite your team to view, edit and upload files, turning folders into collaborative workspaces.

Never Lose Files. A stolen laptop or hard drive crash doesn’t mean you lose your files. Safely store all of your work documents and projects in Box Drive.

Box enables secure file sharing and collaboration so you can get real work done with anyone, from any device.

  • Secure File Sharing. Easily and securely share files—even sensitive or confidential ones—without worry.
  • Hassle-Free File Sharing. Ditch email attachments! Share any file with a simple link or straight from Box, with anyone you want.

An Introduction to Box: The Modern Content Management Platform

Discover how Box can solve simple and complex challenges, from sharing and accessing files on mobile devices to sophisticated business processes like data governance and retention.